<?xml version="1.0" encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<refentry id="pam_listfile">
<refentrytitle>pam_listfile</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
<refnamediv id="pam_listfile-name">
<refname>pam_listfile</refname>
<refpurpose>deny or allow services based on an arbitrary file</refpurpose>
<cmdsynopsis id="pam_listfile-cmdsynopsis">
<command>pam_listfile.so</command>
item=[tty|user|rhost|ruser|group|shell]
file=<replaceable>/path/filename</replaceable>
apply=[<replaceable>user</replaceable>|<replaceable>@group</replaceable>]
<refsect1 id="pam_listfile-description">
<title>DESCRIPTION</title>
pam_listfile is a PAM module which provides a way to deny or
allow services based on an arbitrary file.
The module gets the <option>item</option> of the type specified --
<emphasis>user</emphasis> specifies the username,
<emphasis>PAM_USER</emphasis>; tty specifies the name of the terminal
over which the request has been made, <emphasis>PAM_TTY</emphasis>;
rhost specifies the name of the remote host (if any) from which the
request was made, <emphasis>PAM_RHOST</emphasis>; ruser specifies
the name of the remote user (if available) who made the request,
<emphasis>PAM_RUSER</emphasis>; group specifies any group the user
(<emphasis>PAM_USER</emphasis>) belongs to, so the item is found if one
of those groups is listed; and shell specifies the login shell of the
user, taken from the password database -- and looks for an instance
of that item in the <option>file=<replaceable>filename</replaceable></option>.
<filename>filename</filename> contains one line per item listed. If
the item is found, then if
<option>sense=<replaceable>allow</replaceable></option>,
<emphasis>PAM_SUCCESS</emphasis> is returned, causing the authorization
request to succeed; else if
<option>sense=<replaceable>deny</replaceable></option>,
<emphasis>PAM_AUTH_ERR</emphasis> is returned, causing the authorization
If an error is encountered (for instance, if
<filename>filename</filename> does not exist, or a poorly-constructed
argument is encountered), then if <emphasis>onerr=succeed</emphasis>,
<emphasis>PAM_SUCCESS</emphasis> is returned, otherwise if
<emphasis>onerr=fail</emphasis>, <emphasis>PAM_AUTH_ERR</emphasis> or
<emphasis>PAM_SERVICE_ERR</emphasis> (as appropriate) will be returned.
An additional argument, <option>apply=</option>, can be used
to restrict the application of the above to a specific user
(<option>apply=<replaceable>username</replaceable></option>) or to
the members of a specific group
(<option>apply=<replaceable>@groupname</replaceable></option>).
This added restriction is only meaningful when used with the
<emphasis>tty</emphasis>, <emphasis>rhost</emphasis> and
<emphasis>shell</emphasis> items.
Besides this last one, all arguments should be specified; do not
count on any default behavior.
No credentials are awarded by this module.
<refsect1 id="pam_listfile-options">
<title>OPTIONS</title>
<option>item=[tty|user|rhost|ruser|group|shell]</option>
What is listed in the file and should be checked for.
<option>sense=[allow|deny]</option>
Action to take if the item is found in the file. If the item is
NOT found in the file, the opposite action is taken.
<option>file=<replaceable>/path/filename</replaceable></option>
File containing one item per line. The file needs to be a regular
file and must not be world writable: a world-writable list would let
any local user add their own entry and so grant or deny access to
themselves.
<option>onerr=[succeed|fail]</option>
What to do if something weird happens like being unable to open
<option>apply=[<replaceable>user</replaceable>|<replaceable>@group</replaceable>]</option>
Restrict the user class to which the restriction applies. Note that
with <option>item=[user|ruser|group]</option> this does not make sense,
but for <option>item=[tty|rhost|shell]</option> it has a meaning.
<option>quiet</option>
Do not treat service refusals or missing list files as
errors that need to be logged.
<refsect1 id="pam_listfile-types">
<title>MODULE TYPES PROVIDED</title>
All module types (<option>auth</option>, <option>account</option>,
<option>password</option> and <option>session</option>) are provided.
<refsect1 id='pam_listfile-return_values'>
<title>RETURN VALUES</title>
<term>PAM_AUTH_ERR</term>
<para>Authentication failure.</para>
<term>PAM_BUF_ERR</term>
<term>PAM_IGNORE</term>
The rule does not apply to this request, because the user or group
named by the <option>apply</option> option did not match.
<term>PAM_SERVICE_ERR</term>
Error in service module.
<term>PAM_SUCCESS</term>
<refsect1 id='pam_listfile-examples'>
<title>EXAMPLES</title>
Classic 'ftpusers' authentication can be implemented with this entry
in <filename>/etc/pam.d/ftpd</filename>:
# deny ftp-access to users listed in the /etc/ftpusers file
auth required pam_listfile.so \
onerr=succeed item=user sense=deny file=/etc/ftpusers
Note, users listed in the <filename>/etc/ftpusers</filename> file are
(counterintuitively) <emphasis>not</emphasis> allowed access to
To allow login access only for certain users, you can use a
<filename>/etc/pam.d/login</filename> entry like this:
# permit login to users listed in /etc/loginusers
auth required pam_listfile.so \
onerr=fail item=user sense=allow file=/etc/loginusers
For this example to work, all users who are allowed to use the
login service should be listed in the file
<filename>/etc/loginusers</filename>. Unless you are explicitly
trying to lock out root, make sure that when you do this, you leave
a way for root to log in, either by listing root in
<filename>/etc/loginusers</filename>, or by listing a user who is
able to <emphasis>su</emphasis> to the root account.
Keep <option>onerr=fail</option> on an allow list such as this one:
with <option>onerr=succeed</option>, a missing or unreadable
<filename>/etc/loginusers</filename> would turn the entry into a pass
for every user and the restriction would silently disappear.
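As an added example that is not part of this manual page or of the Linux-PAM sources, the following Python model works through the decision rules described above (item lookup, sense=, onerr=, apply=, and the regular-file / not-world-writable check on file=) and runs both entries from this section against constructed list files. The module itself is written in C and returns integer PAM constants; here they are strings of the same name. Two points are assumptions of this model rather than statements of the page: an unsafe list file is refused with PAM_AUTH_ERR whatever onerr= says, and apply= is disregarded for the user, ruser and group items.

```python
"""Model of pam_listfile's item/sense/onerr/apply decision (added example,
not the module's own C code).  Return codes are strings named after the
PAM constants; every list file used below is constructed in a temp dir."""
import os
import stat
import tempfile

PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"
PAM_SERVICE_ERR, PAM_IGNORE = "PAM_SERVICE_ERR", "PAM_IGNORE"


def read_list(path):
    """Entries of a list file (one per line), or None if it cannot be opened.
    Raises PermissionError for an unsafe file: it must be a regular file (a
    symlink is refused here too) and must not be world-writable, or anyone
    could add their own entry to an allow list."""
    try:
        st = os.lstat(path)
    except OSError:
        return None
    if not stat.S_ISREG(st.st_mode) or st.st_mode & stat.S_IWOTH:
        raise PermissionError(f"{path} is world writable or not a regular file")
    with open(path) as fh:
        return [line.rstrip("\n") for line in fh if line.strip()]


def listfile(item, value, file, sense, onerr, apply=None, user=None, groups=()):
    """Decide as `pam_listfile.so item=ITEM sense=SENSE file=FILE onerr=ONERR
    [apply=APPLY]` would for a request whose ITEM has `value`.  `user` and
    `groups` are PAM_USER and that user's group names; they drive apply=@group
    and item=group (for which `value` is ignored)."""
    if onerr not in ("succeed", "fail"):
        onerr = "fail"                          # poorly-constructed argument
    on_error = PAM_SUCCESS if onerr == "succeed" else PAM_SERVICE_ERR
    if sense not in ("allow", "deny"):
        return on_error                         # poorly-constructed argument
    # apply= has a meaning only for tty, rhost and shell; this model
    # disregards it for the other items, as the page says it makes no sense.
    if apply and item in ("tty", "rhost", "shell"):
        if apply.startswith("@"):
            if apply[1:] not in groups:
                return PAM_IGNORE
        elif apply != user:
            return PAM_IGNORE
    try:
        entries = read_list(file)
    except PermissionError:
        # assumption of this model: an unsafe file refuses, whatever onerr= says
        return PAM_AUTH_ERR
    if entries is None:
        return on_error                         # missing or unreadable file
    if item == "group":
        found = any(g in entries for g in groups)
    else:
        found = value in entries
    if sense == "allow":
        return PAM_SUCCESS if found else PAM_AUTH_ERR
    return PAM_AUTH_ERR if found else PAM_SUCCESS


def demo():
    """Run the page's two EXAMPLES entries plus the error paths against
    constructed list files; returns {scenario: return code}."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        def make(name, body, mode=0o644):
            path = os.path.join(d, name)        # stands in for a file under /etc
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
            return path
        # /etc/pam.d/ftpd entry: onerr=succeed item=user sense=deny
        ftpusers = make("ftpusers", "root\nbin\ndaemon\n")
        out["ftp root"] = listfile("user", "root", ftpusers, "deny", "succeed")
        out["ftp alice"] = listfile("user", "alice", ftpusers, "deny", "succeed")
        # a missing list file is decided by onerr= alone
        missing = os.path.join(d, "no-such-file")
        out["missing succeed"] = listfile("user", "root", missing, "deny", "succeed")
        out["missing fail"] = listfile("user", "root", missing, "allow", "fail")
        # a world-writable list is refused even for a user who is not on it
        os.chmod(ftpusers, 0o666)
        out["world writable"] = listfile("user", "alice", ftpusers, "deny", "succeed")
        # /etc/pam.d/login entry: onerr=fail item=user sense=allow
        loginusers = make("loginusers", "root\nalice\n")
        out["login alice"] = listfile("user", "alice", loginusers, "allow", "fail")
        out["login mallory"] = listfile("user", "mallory", loginusers, "allow", "fail")
        # apply=@wheel with item=tty: skipped (PAM_IGNORE) for non-members
        ttys = make("ttys", "tty1\n")
        out["tty wheel"] = listfile("tty", "tty2", ttys, "allow", "fail",
                                    apply="@wheel", user="bob", groups=("wheel",))
        out["tty other"] = listfile("tty", "tty2", ttys, "allow", "fail",
                                    apply="@wheel", user="carol", groups=("users",))
    return out


if __name__ == "__main__":
    for scenario, code in demo().items():
        print(f"{scenario:17} {code}")
```

The "missing succeed" and "world writable" scenarios are the ones worth reading twice: with onerr=succeed a deny list that has gone missing stops denying anyone, and a list that any user can write is refused outright rather than trusted.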
<refsect1 id='pam_listfile-see_also'>
<title>SEE ALSO</title>
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
<refsect1 id='pam_listfile-author'>
<title>AUTHOR</title>
pam_listfile was written by Michael K. Johnson &lt;johnsonm@redhat.com&gt;
and Elliot Lee &lt;sopwith@cuc.edu&gt;.